Re: D/DoS mitigation hardware/software needed.

["Dobbins, Roland" <rdobbins () arbor net>]

On Jan 5, 2010, at 10:18 AM, Suresh Ramasubramanian wrote:

> 5 Ditch the stateful firewall and exclusively use a netflow device

NetFlow analysis is very useful for network visibility, and detection/classification/traceback.  There are both 
open-source and commercial NetFlow collection and analysis systems available (full disclosure:  I work for a vendor of 
both NetFlow analysis and DDoS mitigation solutions); however, they don't provide mitigation, which is where S/RTBH, 
flow-spec, and/or IDMS come into play.

PCI DSS iatrogenically *requires* that a 'Web application firewall' be placed in front of Web servers which process 
credit card information (PCI DSS completely ignores availability, and contains a number of recommendations which are 
actually harmful from an opsec standpoint).  Running mod_security or its equivalent on the front-end Web servers 
themselves fulfills this requirement without putting a stateful DDoS chokepoint in front of the servers.

It's also a really good idea to front Web servers with a tier of caching-only transparent reverse proxies; Squid is a 
good choice for this, as well as various commercial offerings.  WCCPv2 clustering (supported by Squid and several 
commercial caching/proxying solutions) allows this tier to be scaled horizontally in order to meet capacity demands.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken